Update to 14

wu-leilei 2023-10-07 14:52:34 +08:00
parent b1bb981821
commit 24dc8ca2dd
4 changed files with 27 additions and 85 deletions


@ -1,51 +0,0 @@
From 8dbbed10870378f1b2c3cf3df2ea7edca7617096 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Wed, 14 Jun 2023 10:53:20 -0300
Subject: [PATCH] Fix race condition when creating/rotating keys (#123)
When we create/rotate keys using either the tangd-keygen and
tangd-rotate-keys helpers, there is a small window between the
keys being created and then the proper ownership permissions being
set. This also happens when there are no keys and tang creates a
pair of keys itself.
In certain situations, such as the keys directory having wide open
permissions, a user with local access could exploit this race
condition and read the keys before they are set to more restrictive
permissions.
To prevent this issue, we now set the default umask to 0337 before
creating the files, so that they are already created with restrictive
permissions; afterwards, we set the proper ownership as usual.
Issue reported by Brian McDermott of CENSUS labs.
Fixes CVE-2023-1672
Refer:
https://github.com/latchset/tang/commit/8dbbed10870378f1b2c3cf3df2ea7edca7617096
https://ubuntu.com/security/CVE-2023-1672
Reviewed-by: Sergio Arroutbi <sarroutb@redhat.com>
Signed-off-by: Sergio Correia <scorreia@redhat.com>
---
src/tangd-keygen | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/tangd-keygen b/src/tangd-keygen
index 20d498e..d894ece 100755
--- a/src/tangd-keygen
+++ b/src/tangd-keygen
@@ -27,6 +27,9 @@ fi
[ $# -eq 3 ] && sig=$2 && exc=$3
+# Set default umask for file creation.
+umask 0337
+
jwe=`jose jwk gen -i '{"alg":"ES512"}'`
[ -z "$sig" ] && sig=`echo "$jwe" | jose jwk thp -i-`
echo "$jwe" > $1/$sig.jwk
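Review bot: deleting this patch file removes the only place the build set `umask 0337` before `jose jwk gen` writes `$1/$sig.jwk`; a 0337 mask yields 0440 on the new key files (0666 masked by 0337), the same mode the spec's %post now enforces with `chmod 0440`, so the package is only consistent if the v14 tarball already carries upstream commit 8dbbed10 (dated 14 Jun 2023 above). Confirm that by inspecting src/tangd-keygen in the 14 tarball before relying on the upstream fix instead of the patch.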
--
2.33.0

BIN
tang-14.tar.xz Normal file

Binary file not shown.

Binary file not shown.


@ -1,15 +1,14 @@
Name: tang Name: tang
Version: 7 Version: 14
Release: 3 Release: 1
Summary: Server for binding data to network presence Summary: Server for binding data to network presence
License: GPLv3+ License: GPLv3+
URL: https://github.com/latchset/%{name} URL: https://github.com/latchset/%{name}
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2 Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
Patch0: CVE-2023-1672.patch
BuildRequires: gcc jose libjose-devel libjose-zlib-devel libjose-openssl-devel BuildRequires: gcc meson jose libjose-devel libjose-zlib-devel libjose-openssl-devel
BuildRequires: http-parser-devel systemd-devel pkgconfig systemd curl BuildRequires: http-parser-devel systemd-devel pkgconfig systemd curl
BuildRequires: asciidoc coreutils grep sed BuildRequires: asciidoc coreutils grep sed iproute
Requires: coreutils jose grep sed Requires: coreutils jose grep sed
Requires(pre): shadow-utils Requires(pre): shadow-utils
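Review bot: `Patch0: CVE-2023-1672.patch` is dropped here while the new changelog entry records only "Update to 14"; the 14-1 entry should state that the CVE-2023-1672 fix is carried by the upstream 14 tarball so the package's security history stays traceable. Also, `iproute` joins BuildRequires without a comment; a short note on which part of %check needs it helps the next maintainer.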
@ -35,24 +34,15 @@ the encryption key. This process is the recovery step.
%autosetup -n %{name}-%{version} -p1 %autosetup -n %{name}-%{version} -p1
%build %build
%configure %meson
%make_build %meson_build
%install %install
%make_install %meson_install
%{__mkdir_p} $RPM_BUILD_ROOT/%{_localstatedir}/db/%{name}
%{__sed} -i 's|DirectoryMode=0700||' %{buildroot}/%{_unitdir}/%{name}d-update.path
%{__sed} -i 's|MakeDirectory=true||' %{buildroot}/%{_unitdir}/%{name}d-update.path
echo "User=%{name}" >> %{buildroot}/%{_unitdir}/%{name}d-update.service
echo "User=%{name}" >> %{buildroot}/%{_unitdir}/%{name}d@.service
install -d %{buildroot}/%{_localstatedir}/cache/%{name}
install -d %{buildroot}/%{_localstatedir}/db/%{name}
%check %check
if ! make %{?_smp_mflags} check; then %meson_test
cat test-suite.log
false
fi
%pre %pre
getent group %{name} >/dev/null || groupadd -r %{name} getent group %{name} >/dev/null || groupadd -r %{name}
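Review bot: both lines that created `%{_localstatedir}/db/%{name}` in the build root (`%{__mkdir_p} $RPM_BUILD_ROOT/%{_localstatedir}/db/%{name}` and `install -d %{buildroot}/%{_localstatedir}/db/%{name}`) are removed, yet the directory is still listed in %files with `%attr(2570, %{name}, %{name})`; unless `%meson_install` creates it, the build fails at file packaging, so either confirm the v14 meson install does so or keep the `install -d`. Dropping the `sed` edits and the `User=%{name}` appends also means the unit files ship exactly as upstream provides them; check that the v14 units run tangd as the `tang` user, since %post still chowns /var/db/tang to tang:tang.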
@ -63,41 +53,44 @@ exit 0
%post %post
%systemd_post %{name}d.socket %systemd_post %{name}d.socket
%systemd_post %{name}d-update.path
%systemd_post %{name}d-update.service if [ -d /var/db/tang ]; then
%systemd_post %{name}d-keygen.service for k in /var/db/tang/*.jwk; do
test -e "${k}" || continue
chmod 0440 -- "${k}"
done
for k in /var/db/tang/.*.jwk; do
test -e "${k}" || continue
chmod 0440 -- "${k}"
done
chown tang:tang -R /var/db/tang
fi
%preun %preun
%systemd_preun %{name}d.socket %systemd_preun %{name}d.socket
%systemd_preun %{name}d-update.path
%systemd_preun %{name}d-update.service
%systemd_preun %{name}d-keygen.service
%postun %postun
%systemd_postun_with_restart %{name}d.socket %systemd_postun_with_restart %{name}d.socket
%systemd_postun_with_restart %{name}d-update.path
%systemd_postun_with_restart %{name}d-update.service
%systemd_postun_with_restart %{name}d-keygen.service
%files %files
%license COPYING %license COPYING
%attr(0750, %{name}, %{name}) %{_localstatedir}/cache/%{name}
%attr(2570, %{name}, %{name}) %{_localstatedir}/db/%{name} %attr(2570, %{name}, %{name}) %{_localstatedir}/db/%{name}
%{_unitdir}/%{name}d-keygen.service
%{_unitdir}/%{name}d-update.service
%{_unitdir}/%{name}d-update.path
%{_unitdir}/%{name}d@.service %{_unitdir}/%{name}d@.service
%{_unitdir}/%{name}d.socket %{_unitdir}/%{name}d.socket
%{_libexecdir}/%{name}d-keygen %{_libexecdir}/%{name}d-keygen
%{_libexecdir}/%{name}d-update %{_libexecdir}/%{name}d-rotate-keys
%{_libexecdir}/%{name}d %{_libexecdir}/%{name}d
%{_bindir}/%{name}-show-keys %{_bindir}/%{name}-show-keys
%files help %files help
%{_mandir}/man8/tang.8* %{_mandir}/man8/tang.8*
%{_mandir}/man1/tang-show-keys.1* %{_mandir}/man1/tang-show-keys.1*
%{_mandir}/man1/tangd-rotate-keys.1.gz
%changelog %changelog
* Thu Sep 28 2023 wulei <wu_lei@hoperun.com> - 14-1
- Update to 14
* Fri Jun 30 2023 wangkai <13474090681@163.com> - 7-3 * Fri Jun 30 2023 wangkai <13474090681@163.com> - 7-3
- Fix CVE-2023-1672 - Fix CVE-2023-1672
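Review bot: tangd-update.path, tangd-update.service and tangd-keygen.service disappear from %files and from the %post/%preun/%postun scriptlets, but nothing disables them on upgrade: `%systemd_preun` in the old package only disables units on erase, so a host that had tangd-update.path enabled keeps a dangling symlink in its target's `.wants` directory after the unit file is removed. Consider a `%triggerun -- %{name} < 14` that runs `systemctl --no-reload disable` on those three units while their files still exist. Minor: the %post key-permission loop hardcodes `/var/db/tang` where the rest of the spec uses `%{_localstatedir}/db/%{name}`, and `%{_mandir}/man1/tangd-rotate-keys.1.gz` should use the `*` suffix like the other man page entries so a change in man page compression does not break the file list.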